Cryptographic Accumulators

Updated 20 October 2025

Cryptographic accumulators are data structures that compress a finite set into a compact digest, enabling concise proofs of membership or non-membership.
They leverage various constructions (RSA, Merkle trees, bilinear maps) to ensure strong security properties like collision resistance, soundness, and zero-knowledge.
Their applications range from certificate revocation and authenticated dictionaries to blockchain state compression and privacy-preserving credential systems.

A cryptographic accumulator is a space- and time-efficient data structure that “compresses” a finite set into a compact digest, enabling later verification of set membership (or non-membership) via succinct proofs. The key functionality is to allow efficient set-membership or set-exclusion queries, often with strong cryptographic guarantees such as collision resistance, soundness, zero-knowledge, and dynamic support for incremental set updates. Cryptographic accumulators are central to a broad spectrum of applications including authentication, privacy-preserving credential systems, authenticated dictionaries, certificate revocation, accumulative state representations in blockchain protocols, and privacy-enhanced user pseudonymisation schemes.

1. Core Concepts and Taxonomy

Cryptographic accumulators are classified as either symmetric or asymmetric. Symmetric accumulators (e.g., Bloom filters, Cuckoo filters) use multiple hash functions over a bit array or data structure and allow fast probabilistic membership queries with a bounded false positive rate, but lack cryptographic soundness guarantees. For Bloom filters, the false positive rate is modeled as $FPR = \left(1 - [1-\frac{1}{m}]^{kn}\right)^k$ , given $k$ hash functions and a filter length $m$ over $n$ inserted items (Ozcelik et al., 2021).

Asymmetric accumulators, in contrast, provide collision-free, cryptographically verifiable proofs based on hard problems such as RSA or Bilinear Diffie–Hellman. Canonical examples include:

Type	Core Mechanism	Witness Size
RSA-based	$acc_n = acc_{n-1}^x \bmod N$	Constant
Merkle tree-based	Root of hash tree; path from leaf to root	$O(\log N)$
Bilinear-map	$A(X) = g^{\prod_{x\in X}(x+s)}$	Constant

Symmetric accumulators are generally stateless (with respect to witnesses), while asymmetric accumulators require auxiliary data for membership/non-membership proofs. Some asymmetric accumulators require a trapdoor (trusted setup, as in RSA), while others are trapdoorless (e.g., Merkle trees, suitable for decentralized contexts) (Ozcelik et al., 2021).

2. Security and Design Properties

Accumulators satisfy fundamental security properties:

Soundness (collision-freeness): Infeasible to generate valid witnesses for elements not in the underlying set.
Completeness: All valid proofs verify for authentic members.
Undeniability: Impossible to create both membership and non-membership proofs for the same element.
Indistinguishability: The accumulator and its proofs leak no extraneous set information.

Optional features, with associated performance trade-offs, include:

Dynamic updates: Support for insertions and deletions (additive, subtractive, or both).
Proof types: Positive (membership only), negative (non-membership only), universal (both).
Zero-knowledge: Witnesses can be constructed to reveal nothing except validity (e.g., via ZK-SNARKs or Bulletproofs).
Trust model: Trusted accumulator managers enable more efficient operations, but at the cost of centralization and trust risk. Untrusted/strong accumulators provide better decentralization at increased per-proof and communication cost.

Performance is highly context dependent:

Scenario	Witness size	Proof verification cost	Note
Trusted (e.g., RSA)	Constant	Constant	Needs trapdoor
Untrusted (Merkle)	$O(\log n)$	$O(\log n)$	No trapdoor, decentralized
S. accumulator (BF)	Bit array (few bits)	Constant, but probabilistic	Allows false positives

3. Foundational Constructions

RSA Accumulators: Each set element is mapped to a prime representative $x_i$ , and the accumulator is updated via repeated modular exponentiation $A = a^{x_1 x_2 ... x_n} \bmod N$ (0905.1307). Membership witnesses for $e$ are computed as the accumulation of all other elements, and verification consists of checking $A_e^{x_e} \bmod N = A$ .
Bilinear-map Accumulators: In settings such as short proof enhanced certificate transparency, $(x+s)$ values are multiplied in the exponent to produce $A(X) = g^{\prod_{x\in X}(x+s)}$ (Singh et al., 2017). Membership and non-membership witnesses admit constant-size, pairing-based verification.
Merkle Tree Accumulators: Hash trees rooted at $H$ where internal nodes hash their children and leaves are elements of the set; path proofs entail logarithmic communication and verification, but do not require trusted setup (Kermezis et al., 2021).

Recent constructions extend the concept, e.g., coded Merkle trees (CMTs), which combine erasure coding and hashing to defend against data withholding and provide availability proofs at $O(\log b)$ communication cost (Yu et al., 2019).

4. Practical Applications

Cryptographic accumulators are deployed in numerous system architectures:

Certificate Revocation and Blacklisting: Using RSA or bilinear accumulators, lists of revoked credentials are compressed so that constant-size membership proofs can be generated for clients (as in PKI or CT logs) (0905.1307, Singh et al., 2017).
Authenticated Dictionaries: Untrusted directories can serve up constant-size (O(1)) cryptographic proofs of membership in efficiently updatable dictionaries (0905.1307).
Blockchain State Compression: SecurePrune and CompactChain compress UTXO sets in blockchains into constant-size RSA accumulator digests embedded in block headers, facilitating efficient state pruning, stateless client operation, and reduction in bootstrapping and storage costs (B, 2020, Reddy et al., 2022).
Privacy-Preserving Credentials: Attribute-based encryption systems leverage accumulators for efficient revocation—only allowing up-to-date, non-revoked keys to decrypt challenged ciphertexts (Bartolomeo, 2023).
Data Availability in Blockchains: CMTs employ accumulation across coded layers to provide succinct, verifiable proofs of data availability and tamper-evidence with a constant-size block header and logarithmic sampling, outperforming classic Merkle-only schemes in efficiency and scalability (Yu et al., 2019).
Pseudonymisation and Identity Privacy: Merkle accumulators allow users to construct unlinkable pseudonyms using only hashes and secret keys, ensuring post-quantum security and demonstrable ownership via Merkle authentication paths (Kermezis et al., 2021).
Decentralised, Privacy-Preserving Incentives: Black box accumulators based on elliptic curve commitments and ZK proofs capture user interaction histories for rewards while maintaining privacy and integrity guarantees in distributed loyalty systems (Ankele et al., 2023).

5. Algorithmic Strategies and Efficiency Trade-Offs

Accumulator designs introduce algorithmic choices that balance update speed, storage, communication, and verification efficiency. For RSA-based schemes, insertions are performed via a single modular exponentiation, but deletions require more careful engineering—precomputation and partitioned groupings can balance source-side work and directory-side work, achieving $O(p + n/p)$ update times for parameter $p$ , with constant-size verification (0905.1307). Batch operations and non-interactive proofs of exponentiation are used to support group additions and deletions in blockchain accumulators (B, 2020, Reddy et al., 2022). For Merkle-based approaches, logarithmic proof size and dynamic concatenation/split support are central (path hash accumulators offer efficient composability for interval queries and dynamic structures) (0908.4116).

Dynamic updates introduce the necessity of witness management: upon additions or deletions, either witnesses must be recomputed (costly in large sets) or carefully managed with auxiliary structures. Short (constant-sized) proofs are achievable in many bilinear and RSA-based designs, with O(log n) Merkle proofs representing the lower bound in trapdoorless constructions.

6. Security, Limitations, and Open Directions

Security fundamentally derives from the underlying hardness assumptions: strong RSA (for RSA accumulators), the $q$ -SDH assumption (for bilinear accumulators), or hash collision resistance (for Merkle). Advanced designs integrate zero-knowledge or privacy mechanism (e.g., non-interactive ZK, Bulletproofs, or select-and-rerandomize proofs) to avoid witness disclosure (Ankele et al., 2023). However, trusted setups pose centralization and risk; trapdoorless but logarithmic-size algorithms are preferred in decentralized or post-quantum targeted settings.

Limitations include the computational cost of batch witness updates on dynamic sets, sometimes incurring O(n) cost in the worst case, or the communication overhead for proof dissemination in vast distributed systems. Synchronization and update consistency present engineering and protocol-hardening challenges, particularly under high-throughput or adversarial settings.

Recent theoretical advancements, such as generalised entropy accumulation, offer tools for bounding the unpredictability and security of outputs generated by sequential accumulative processes, with direct implications for composable security in cryptographic accumulators (Metger et al., 2022).

7. Comparative Analysis and Selection Guidelines

The selection or design of a cryptographic accumulator is informed by application constraints:

If constant-size proof and verification is paramount, and a trusted setup is feasible, RSA or bilinear accumulators are advantageous (e.g., in constrained environments or when clients need minimal storage).
If complete decentralization and transparency is required or in a post-quantum context, Merkle accumulators or hash-based tree structures are preferred at the expense of logarithmic-size proofs.
If the application is tolerates false positives and values update speed over soundness, symmetric accumulators (Bloom, Cuckoo) can be appropriate.
For membership only (positive accumulators), both RSA and Merkle trees suffice; for universal (membership and non-membership) proofs, more sophisticated constructions or batch protocols are necessary.

The comparative table below summarizes several principal axes:

Criterion	RSA Accumulator	Merkle Tree	Bloom/Cuckoo Filter
Proof Size	Constant	$O(\log n)$	Constant
Verifiability	Cryptographic	Cryptographic	Probabilistic
Trusted Setup	Yes	No	No
Dynamism	Batch, Efficient	Efficient	Efficient
False Positives	No	No	Yes
Update Cost (per op)	$O(1)$ / $O(n)$	$O(\log n)$	$O(1)$

This summary reflects the state of the art as documented in surveyed arXiv preprints (0905.1307, 0908.4116, Singh et al., 2017, Yu et al., 2019, B, 2020, Ozcelik et al., 2021, Kermezis et al., 2021, Metger et al., 2022, Reddy et al., 2022, Bartolomeo, 2023, Ankele et al., 2023). Accumulators are a mature and practically significant class of cryptographic primitives; ongoing research continues to refine dynamic update strategies, improve decentralization and post-quantum security, and extend the spectrum of applications in privacy-preserving, scalable, and composable systems.